New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
BUG 1885353: protect openshift traffic by using dedicated flowschema #968
BUG 1885353: protect openshift traffic by using dedicated flowschema #968
Conversation
@tkashem: No Bugzilla bug is referenced in the title of this pull request. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
547b7e6
to
9186ce2
Compare
@tkashem: This pull request references Bugzilla bug 1885353, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
9186ce2
to
b0c46c8
Compare
/lgtm |
/bugzilla refresh Recalculating validity in case the underlying Bugzilla bug has changed. |
@openshift-bot: This pull request references Bugzilla bug 1885353, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/bugzilla refresh Recalculating validity in case the underlying Bugzilla bug has changed. |
@openshift-bot: This pull request references Bugzilla bug 1885353, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
b0c46c8
to
fe3c816
Compare
@tkashem: This pull request references Bugzilla bug 1885353, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/lgtm |
/bugzilla refresh |
@sttts: This pull request references Bugzilla bug 1885353, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/bugzilla refresh Recalculating validity in case the underlying Bugzilla bug has changed. |
@openshift-bot: This pull request references Bugzilla bug 1885353, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. 6 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/hold doing some research whether we need to make SAR from oas/oauth exempt. |
Define dedicated flowschema and priority configuration that will protect openshift specific traffic. - SAR from oas is very important - kcm, other oas requests, metrics requests from openshift-monitoring is pretty important - control plane operators are important (kas-o, oas-o, auth operator, etcd operator) - workloads-low goes below the traffic defined above.
fe3c816
to
05c5bdb
Compare
@tkashem: This pull request references Bugzilla bug 1885353, which is valid. 6 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
1 similar comment
@tkashem: This pull request references Bugzilla bug 1885353, which is valid. 6 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/retest |
we are making SAR from oas/oauth exempt since borrowing is not supported in p&f /hold cancel |
/bugzilla cc-qa |
@wangke19: This pull request references Bugzilla bug 1885353, which is valid. 6 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Launched one 4.5 cluster with this PR successfully, verification steps see https://bugzilla.redhat.com/show_bug.cgi?id=1885353#c3. |
/lgtm |
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: deads2k, sttts, tkashem, wangke19 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/retest Please review the full test history for this PR and help us cut down flakes. |
@tkashem: All pull requests linked via external trackers have merged: Bugzilla bug 1885353 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Define dedicated flowschema and priority configuration that will protect openshift specific traffic.
SAR
fromoas
is very important (exempt)oas
requests,oauth server
requests, metrics requests from openshift-monitoring is pretty importantworkloads-low
goes below the traffic defined above.Question:
tokenreviews
fromoas
as important asSAR
?cvo
in the control plane operators, or are there traffic from any other critical operators that we should protect?After applying the above configuration, we can see that the number of requests from
workload-low
drops. This implies that traffic from oas,/metrics
call from openshift monitoring, traffic from control plane operators are not being throttled anymore.